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(57) Abstract: A method and device are disclosed for executing applications that involve secure transactions and/or conditional 
access to valuable contents and/or services. The device includes an integrated circuit that has a central processing unit, an internal 
memory, input/output connections for external memory and connection ports for an external interface circuit incorporated on a single 
chip. The internal memory includes a secured memory area accessible to the central processing unit only. The secret memory area 
contains a secret encryption key used for encryption of sensitive data stored in the external memory. Preferably, the chip includes a 
random number generator. A hash value is obtained from a random number generated by the random number generator, the random 
number with its hash value are encrypted with the secret key, and the encrypted random number with its hash value are and stored 
in the external memory. As a result, the device has a chip that is uniquely paired with the external memory. Since the sensitive data 
and/or code are of such nature that proper execution of an application by the device will not be possible unless these data and/or code 
have been successfully decrypted, and the chip will not decrypt the data and/or code unless it has successfully checked its pairing 
with the external memory, the device is effectively protected from use with other than authentic contents of the external memory. 



wo 03/058409 




'CT/EP03/00075 



Protecting a Device Against Unintended Use in a Secure Environment 
5 



Field of the Invention 

The present invention relates to a method of protecting a device against 
10 nnintended use in a secure environment and, in particular, in a conditional access 
enviromnent The invention also relates to a device for executing applications that 
involve conditional access to valuable contents and/or valuable services. 

Background of the Invention 

15 

Examples of applications that involve secure transactions are electronic payment 
and banking; examples of applications that involve conditional access are Digital 
Pay TV, recording of Digital TV and Video on Demand. A device for executing 
such applications can be a module that is embedded in an environment such as a 

20 Set-Top-Box, a chip embedded on the motherboard of a Set-Top-Box, a Smart 
Card reader or a pluggable module such as a PC card that typically includes a 
Smart Card reader. While hardware components in the module ensure high 
performance for tasks such as descrambling of real time video streams, the Smart 
Card mainly has a security functionaliiy. Application code is typically stored into 

25 an external memory of the device, such as a FLASH memory. 
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Conventionally, these devices rely on security that resides in the Sniart Card. To 
the extent, however, that overall security depends on procedures contained in 
application code stored in external or even in internal memory of the device, the 
security functions of the Smart Card can be worked-around by replacmient or 
5 modification of application code. 

Summary of the Invention 

The present invention provides a secure architecture for a device that executes 
10 applications imder high requirements of security. 

According to a fbrst aspect of the invention, a method of protecting a device 
against uniiitended use in a secure environment is provided, where the device is 
adapted to execute applications that involve secure transactions and/or conditional 

15 access to valuable contents and/or services, and the device includes an integrated 
circuit that has a cratral processing unit, an intemal memory and input/output 
coimections for external memory, all incorporated on a single chip. The external 
memory and the chip are uniquely linked by encrypting sensitive appUcation code 
and data with a secret key stored in a secured memory area of the intemal memory 

20 of the dbip, the encrypted code and data being then stored in the extemal memory. 
Any use of the sensitive application code and data will be possible only after 
successfijl decryption with the secret key. Preferably, a random number and its 
hash value are also encrypted with the secret key and stored in the extemal 
memory. On each reset of the device, the enarypted random number and the hash 

25 value are decrypted with the secret key, and decryption of the encrypted sensitive 
code and data is only allowed if the decrypted hash value equals a hash value 
calculated fix)m the decrypted random number. As a result, the chip and extemal 
memory are uniquely paired, i.e. the chip cannot be used with an external memory 
the sensitive contents of which have been altered or exchanged. 

30 

The invention also provides a device for executing applications that involve 
secure transactions and/or conditional access to valuable conteats and/or services. 
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The device includes an integrated circuit that has a central processing unit, an 
internal memory and input/output connections for an external memory, all 
incorporated on a single chip. The internal memory includes a secured memory 
area accessible to the central processing unit only. The secured memory area 

5 contains a secret encryption key used for encryption of sensitive data stored in the 
external memory. Preferably, the chip includes a random number generator. A 
hash value is obtained from a random number generated by the random number 
generator, the random number with its hash value are encrypted with the secret 
key, and the encrypted random number with its hash value are and stored in the 

1 0 external memory. As a result, the device has a chip that is uniquely paired with the 
external memory. Since the sensitive data and/or code are of such nature that 
proper execution of an application by the device will not be possible unless these 
data and/or code have been successfully deoypted, and the chip will not decrypt 
the data and/or code \mless it has successfully checked its pairing wifli the 

1 5 external memory, the device is effectively protected from use with other flian 
authentic contents of the extemal memory. 

The secured memory area may contain authenticity verification data. The internal 
memory may also include a read only memory area containing mandatory 
20 authenticity verification code allowing an application to be executed only after 
successful verification of authenticity. Therefore, only authentic appUcation code 
is executed by the device, and any replacement of application code attempting to 
circumvent safety functionality will not be successful. 

25 As used herem, "authenticity" is understood in a broad sense. In the preferred 

embodiments of flie invention, as defined in the appending claims, "autheiiticity" 
includes integrity, and any fraudulent modification of application code or sensitive 
data results in refusal by the device to execute the application.' 

30 In further preferred embodiments of the invention, as defined in the appending 
claims, any sensitive application code and data are never visible in the clear from 
outside of the device. Sensitive application code and data are stored in encrypted 
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form and decrypted within the device for execution of the application. By adding 
confidentiality to authenticity, an attack will be even more difficult, if not 
impossible, because the contents in memory, as visible firom outside of the device, 
will not be intelligible. 

5 

According to a further aspect of the invention, any application code down-loaded 
into the device is signed witihi a private key of an asymmetric key pair and proper 
execution of the application is subject to a verification of the signature with a 
public key of the key pair. In addition, any application code stored into the 
1 0 external memory is encrypted with a secret key that is stored in a secured memory 
area of the internal memory. 

Short Description of Drawings 

Further advantages and features of the invention will become apparent from the 
following description with reference to the appending drawings. In the drawings: 

Fig. 1 is an overall schematic diagram of a device with a generic secure system 
architecture for a Conditional Access Module (CAM) and a Smart Card Reader 
(SCR); 

Fig, 2A and 2B are diagrams illustrating different embodiments of procedures for 
preparing signed application code to be down-loaded into the device; 

Fig. 3 A to 3D are diagrams illustrating corresponding embodiments of signature 
verification procedures within the device; 

Fig. 4A is a block diagram illustrating a procedure for preparing encrypted 
application code to be downloaded into the device; 

Fig. 4B is a flow-chart illustrating decryption of the down-loaded appUcation; 



15 



20 



25 



30 
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Fig. 5 A and 5B are flow charts illustrating encryption and decryption of 
application code stored in external memory of the device; 

Fig. 6 is a diagram illustrating a procedure of chip pairing whereby a chip is 
5 uniquely linked to contents in an extemal memory of the device; 

Fig. 7 is a diagram illustrating a chip paking verification procedure; 

Fig. 8 is a diagram illustrating a first step of a chip personalization process; and 

10 

Fig. 9 is a diagram illustrating a second step of a chip personalization process; 

Fig. 10 is a schematic representation of a variable assigranent between extemal 
chip pins and internal chip signal lines; and 

15 

Fig. 1 1 is a block diagram of an intrusion detection arrangemCTt. 

Detailed Description of Preferred Embodiments 

20 Overall Device Design 

Referring now to Fig. 1, the device of the present invention includes an 
application specific integrated circuit (ASIC) that is generally designated at 
reference numeral 10. The ASIC 10 incorporates, on a single semiconductor chip, 
25 a number of components; among tiiese components, the following are essential to 
the invention (although the ASIC will typically include other components): 

- a microprocessor unit (jiP) 12, 

- a read only memory (ROM) 14 coimected to fxP 12, 

- an internal secured memory area (ISMA) 16 also coimected to p.P 12. 

30 

Preferably, as shown in Fig. 1, the ASIC also includes a hardware encryption unit 
18 connected to jaP 12 and to an extemal random access memory (RAM) 20 via a 
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bi-directional interface 22, symbolized in Fig. 1 by a double arrow. In addition to 
external RAM 20, the device 10 has an external Flash memory 24 connected to \iP 
12 via a bi-directional interface 26 symbolized in Fig. 1 by a double arrow. The 
device 10 further includes a bi-directional interface 28 for coimection to an 
5 external Smart Card (SC) 30. 

In a specific embodiment, the device 10 incorporates conditional access (CA) 
functionality. Such a device is generally referred to as a CAM (Conditional 
Access Module) for use with a Set-Top-Box (STB) in a digital TV (DTV) 
10 environment. A CAM can be embedded within the STB, or it is a pluggable PC 
(PCMCIA) card fitting into a Common Interface (CI) slot of the STB, and 
incorporates a Smart Card Reader (SCR). Otiier embodiments of the device 10 
include a SCR for use with a Personal Computer under high requirements of 
security. 

15 

Sisned Down-Load 

With reference to Fig. 2A, a first aspect of the invention is that any application to 
20 be executed by the device, at least to the extent it involves sensitive transactions, 
is checked for authenticity and integrity. Generally stated, the application code is 
signed with a key, and execution of the application by the device is subject to a 
positive verification of the signature. Various embodiments of this concept are 
proposed herein. 

25 

In each embodiment, a hash function obtains a hash value from the application 
code. The hash value is encrypted with a private key of a key pair. The public key 
of the key pair is stored in the memory of the device and, being a public key not 
specific to a particular customer, it can be stored in ROM 14. 

30 

In a first embodiment, as seen in Fig. 2A, the key pair includes a private key 
referred to as "SignDownPrK"; in the first embodiment, this SignDownPrK is a 
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Secure Architecture Designer's private key (SADPrivateKey). The corresponding 
pubUc key (SADPublicKey) is stored in ROM 14. In Fig- 2A, "C" is application 
code in the clear, intended to be downloaded into the device. Further, a signature 
"D" in Fig. 2 A is the hash value of the application code as enarypted with the 
5 private key. 

With reference to Fig. 3 A, where like symbols as in Fig. 2A are used, C and D are 
received in the device. A hash value C is obtained from C with a hash function 
read from ROM 14, D is decrypted to D' with the pubUc key (SADPublicKey) 

10 read from ROM 14 using an algorithm stored in ROM 14. If C equals D% the 

application code C is valid and enabled for execution by the device; otherwise, the 
application code C is erased. After validation of application code C, it is loaded 
into RAM 20, preferably after encryption in RAM encryption interface 18. The 
noicroprocessor 12 will have access to application code in RAM 20 without 

1 5 significant loss of performance even though it is encrypted and must be decrypted 
by RAM encryption interface 18 prior to its execution, the RAM encryption 
interface being implemented in hardware. Alternatively or in addition, the 
validated application code is permanently stored, e.g. in extemal memory 24, but 
preferably in encrypted form. 

20 

In a second embodiment, a customer's private key (CustomerPrivateKey) is used 
for encryption of the hash value of application code C, rather than 
SADPrivateKey. 

25 As used herein, "customer** means an organisation that ofiFers valuable services 
and contents to end-users. Typically, the "customer" would purchase the device 
of the present invention, or at least the ASIC 10, from the Secured Architecture 
Designer (SAD) or a contract manufacturer of the SAD, and supply flie device to 
an end-user in a finished product. 

30 

Now, in a first variant of this second embodiment, the public part of a cxistomer 
key pair is stored in internal secured memory area (ISMA) 16. As seen in Fig. 3B, 
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that public key is read from ISMA 16 and used for verification of signature D. All 
other steps are tiie same as those in Fig. 3A. 

In a second variant of the second embodiment, the Secure Ardiitecture 
5 . Designer's pubUc key (SADPubUcKey) is stored in ROM 14, and the customer's 
public key is signed with the SAD Private Key and can, therefore, be safely stored 
in the external memory 24. With reference to Fig. 3C, the CustomerPublicKey is 
first retrieved by decrypting, with SADPublicKey read from ROM 14, the 
enaypted customer's public key read from external memory 24, and then 
10 signature D is verified as in Fig. 3B. 

In a third variant of the second embodiment, and with refereace to Fig. 2B, a 
protected version of the CustomerPublicKey is down-loaded with the plication 
code C into the device, so that the CustomerPublicKey will never be available in 

15 the external memory 24. Spedfically, a hash value of CustomerPublic key is 

encrypted with SADPrivateKey to "F" and downloaded into the device along with 
CustomerPublicKey "E". With reference to Fig. 3D, verification of the 
application's signature is preceded by a vCTification of CustomerPublicKey. 
Downloaded CustomerPublicKey E is hashed and the hash value E' is compared 

20 with the result F' of decrypting, with SADPublicKey, the downloaded encrypted 
hash value F of CustomerPublicKey. If E' equals F', the verification proceeds to 
the verification of the j^pUcation's signature D, as in Fig. 3C; otherwise, the 
{plication code C is rejected. 

25 

Except for the third variant of the second embodiment of the signed download 
method, the downloaded appUcation code can be stored in the external memory 24 
of the device. 

30 

Encrypted Down-Load 
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While the procedures disclosed so fer ensure authenticify and integrity of an 
appUcation to be executed by the device, a further proposal of the invention is to 
add confidentiality. As fer as downloading of an application is concerned, 
confidentiality is achieved by encrypting the application code prior to its 
5 download. 

With reference to Fig. 4, application code to be downloaded into the device is 
enarypted to "A" with SADSecretKey, a secure architecture designer's symmetric 
key. A hash value of the application is encrypted to "B" with SADSeoretKey. The 

10 encrypted application and its encrypted hash value, A and B, are now downloaded 
into liie device. With reference to Fig. 4B, A and B are decrypted to A' ad B', 
respectively, using SADSecreflEC^ read &om the secured memory area 16. A' (the 
application code in the clear, if correctly decrypted) is hashed to B", and B" is 
compared with B' (the application's code hash value, if correctly decrypted). If 

15 B" equals B', the down-loaded and decrypted application code A' is validated; 
otherwise. A' is rejected. 

The validated application code can now be used, e.g. it can be permanently stored 
in external memory 24 but, in the preferred embodiment, it will be encrypted 
20 before it is stored. 

Ebctemal Memory Encryption 

In the scenario depicted in Fig. 5 A, q>plication code is available fixwn RAM 20 
25 after a signed and/or encrypted download, for example. Being a validated 

application, it can be stored in permanent external memory 24, but preferably not 
in the clear as fer as sensitive software code and data are concerned. 

Initially, the ASIC thus selects sensitive code and data to be encrypted. Depending 
30 on the required level of security and flexibility, an encryption key KF is used 

directly or a derived key is used. As a first option, KF is the SADSecretKey read 
tcom secured memory area 16. The selected sensitive code and data are encrypted 
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with that key and stared in external memory 24, along with other, non-s«isitive 
code and data. 

As a second option, KF is the ChipSecretKey, also read from the secured memory 
5 area. 

As a third option, a random number "KN" is used as the encryption key, KF=RN, 
RN is encrypted with S ADSecretKey read from the secured memory area 1 6, and 
the encrypted random number is stored in external memory 24 as "RNEnc". 

10 

As a fourth option, the sensitive code and data are compressed by the ASIC prior 
to oactyption. 

As a fifth option, a secret chip random number "CaiipRandomNumber*' is fetched 
1 5 from the secured memory area 16. The ChipRandomNumber and a hash value 
thereof are encrypted with encryption key KF to X and Y, respectively. The 
«icrypted random number X and its encrypted hash value Y are stored in external 
memory 24, along with the encrypted sensitive code and data and other, non- 
sensitive code and data. 

20 

As a sixth option, the sensitive code and data are hashed and encrypted with key 
KF. The result EncH is stored in external memory 24 along with the encrypted 
sensitive code and data and other, non-sensitive code and data. 

25 With reference now to Fig. 5B, and according to the respective option among 
options 1 to 6, the appropriate key KF must be determined. With key KF, the 
encrypted contents of the extanal memcay 24 are decrypted and can be \ised, e.g. 
for execution of an application. 

30 If it is option I, KF is SADSecretKey, as read from the secured memory area 16. 



If it is option 2, KF is ChipSecretKey, as read from the secured memory area 16. 
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If it is Option 3, KF is obtained by decrypting the encrypted random number 
RNEnc read from the external memory 24 with the SADSecretKey read from 
secured memory area 16, 

5 

With option 4, the decrypted contents of extemal memory 24 are decompressed 
before they are used. 

Option 5 requires an integrity check for the contents of extemal memory 24. The 
1 0 encrypted random number X and its encrypted hash value Y are decrypted to X' 
and Y' with KF, the deaypted random number X' is hashed to Y' ' and the result 
is compared with the decrypted hash value Y'. If Y'* equals Y% the content of 
extemal memory 24 is validated; otherwise, it is rejected. 

15 With option 6, integrity of the encrypted sensitive code and data is checked. 

Specifically, the encrypted hash value EncH is read from extemal memory 24 and 
decrypted to H with key KF. A hash value H' is calculated from the decrypted 
sensitive code and data. Only if both hash values H and H' are equal, ttie 
decrypted sensitive code and data are validated. 

20 

It is understood that options 4, 5 and 6 are not mutually exclusive and can be used 
separately or jointly with any of options 1 to 3. 

25 Chip - Extemal Memory Pairim 

To further protect the device, the invention proposes to uniquely link flie chip of 
the device with the contrats of the extemal memory 24 (Extemal Memory - ASIC 
Pairing). 

30 

With reference to Fig. 6, sensitive application code and data are identified within 
extemal memory 24 and encrypted to 'T' with secret chip key "ChipSecretKey*' 



wo 03/058409 




[CT/EP03/00075 



read from the secured memory area 16, and I is stored in external memory 24. The 
sensitive application code and data are such that proper execution of the 
application is impossible without successfully decrypting the code and data. The 
random number generator within the chip of the device generates a random 
5 number "RNG" which is hashed to "K". The random nvimber RNG and its hash 
value K are encrypted to "P' with "ChipSecretKey", and J is also stored in 
external memory 24. The chip is now uniquely linked to the external memory 24. 

With reference to Fig. 7, the chip verifies its pairing with external memory 24 at 
1 0 least after each reset of the device. Spedfically, J (liie encrypted random number 
and its bash value) is read from external mem<My and decrypted with 
"ChipSecretKey" to "W" and "Z". The calculated hash value of W, " Z* ", is 
compared with the decrypted hash value Z of random number W. Only if Z and Z' 
are equal, pairing is confirmed and the sensitive application code and data can be 
1 5 retrieved from I read firom the external memory by decrypting I; otherwise, some 
appropriate action is taken to prevent unintended use of the device. 

Chip Personalization 

20 

Immediately after its manufacturing, the chip of the device only has a basic 
functionaUty by software and data stored in ROM 14. Software initially stored in 
ROM 14 includes a boot procedure, a download routine, a cryptography library 
and other basic functions. Data initially stored in ROM 14 includes a Serial 
25 Number, the SADPublicKey and a hash value over the ROM content The secure 
memory area 16 will be empty, and the chip will be without defence against 
unintended use. 

Therefore, according to a further proposal of the invention, the chip is 
30 personalized before it is delivered to a customer. 
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With reference to Fig. 8, a fbrst level personalization of the chip includes storing a 
secret symmetric personalization key *TersoSecretKey'* in the secured memory 
area 16 (ISMA). An internal information field within secured memory area 16, 
"ISMAInfo", is updated to indicate that PersoSecretKey is available. A hash value 
5 ISMAContentHash over the content of the secured memory area 16 is calculated 
and also stored in the secured memory area. 

The chip can now be shipped to a customer where a second level personalization 
will be made before delivery of the chip to an end-user within a finished product. 
10 Alternatively, the second level personalization is already performed by the Secure 
Architecture Designer (SAD) before the chip is shipped to the customer or end- 
xiser. 

With reference to Fig. 9, a second level personalization is illustrated which can be 

1 5 performed by the Secure Architecture Designer or by a customer. The Secure 
Architecture Designer provides a particular personalization application the 
purpose of which is to write into the device sensitive data and information 
pertaining to the intended xise of the device. For download into the device, the 
personalization application "PersoAppli" is encrypted with the secret symmetric 

20 personalization key "PersoSecretKey'*, and a hash value of the application code is 
calculated and signed with a Secure Architecture Designer's private key 
"SADPrivateKey". Alternatively, both the application code and its hash value 
signed with "S ADPrivateKey" are encrypted with the secret symmetric key 
'TersoSecretKey" and downloaded into the device. The device will be able to 

25 decrypt the encrypted application code with "PersoSecretKey" read from the 
secured memory area 16^ and to check the signature of its hash value with 
"SADPublicKey** read from ROM 14. After execution of the personalization 
application by tiie device, all sensitive data and information have been written into 
the device, "ISMAInfo" is updated, a new "ISMAContentHash is computed and 

30 stored, 'TersoSecretKey" is erased and the application is also erased. 
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Variable Terminal Assignment 

As should be clear from the preceding description, the method of the present 
invention requires access to protected parts of the chip in order to initiate the chip 
5 with basic conjBldential and sensitive data and, in particular, those written into 
secured memory area 16. In order to protect the chip against non-authorized 
access to sensitive parts, the invention proposes a secret access channel that must 
be used to access sensitive paarts of the device. 

10 With reference to Fig. 10, the ASIC includes a silicon core body 30 with a number 
of internal chip connections 32 and a number of external terminals 34 (pins or 
pads). Within the package 36 of the ASIC, an internal row of parallel conductor 
lines 38 permits to connect any of the internal chip coimections to any of the 
external terminals 34. At least some of the assigmnents between internal chip 

1 5 connections 32 and extemal terminals 34 are variable and are materialised by 
selectively operated switches such as switches 40, 42 in Fig. 10. In order to 
establish a secret access channel, selective ones of the switches 40, 42 are closed 
and, after use of the secret channel such as for the above personalization steps, can 
be opened and left open. 

20 

Intrusion Detection 

Whenever an intrusion of any kind is detected, appropriate steps are taken to 
prevent unintended use of the device. Typically, the contents of the secured 
25 memory area 16 are erased. 

With reference to Fig. 1 1, the ASIC 10 includes an intrusion detector 50. In the 
proposed embodiment, tiie secured memory area 16 within ASIC 10 is a RAM 
that needs a continuous power supply to maintain information stored therein. 
30 Secured memory area 1 6 (RAM) receives power from an extemal battery 52 
connected to extemal supply and ground terminals of the ASIC. A controllable 
switch 54 is inserted in the supply path of memory area 16. Switch 54 is normally 
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closed and is controlled by intrusion detector 50. Intrusion detector 50 has a 
number of inpiits connected to corresponding monitoring devices. One such 
monitor device can be a photo-transistor 56 that wovild detect any penetrating 
into the chip package upon physical attack of its envelope. Another monitor 

5 device can be a temperature sensor 58 that would detect any abnormal 

tempCTature. The iatrusion detector 50 is also connected to the main device power 
supply and to ground and would detect any abnormal supply voltage or powCT 
consumption. Yet another input to intrusion detector 50 is connected to the system 
clock generator 60 and would detect any abnormal clock rate. A watch-dog 62 

10 connected to a furflier input of intruaon detector 50 would detect any abnormal 
tibsence of activity ftom microprocessor 12 within a given time. Any feilure of an 
integrity, authenticity or signature check is also signalled from microprocessor 12 
to the intrusion detector 50. 

15 Each abnormal condition signalled to the intrusion detector 50 by any of the 
monitor devices would cause the switch 54 to be opened, and all infiinnation 
within the secured memory area 16 would be erased. 
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Claims 



1 . A mefhod of protecting a device against unintended use in a secure 
5 environment, the device being adapted to execute applications that involve 

conditional access to at least one of valuable contents and services, and the 
device including an integrated circuit that has a central processing unit, an 
internal memory and input/output coimections.for external memory 
incorporated on a single chip, characterized in that said external memory 
10 and said chip are uniquely linked by encrypting sensitive application code 

and data with a secret key stored in a secxired memory area of the intemal 
memory, the encrypted code and data being then stored in said external 
memory. 

15 2. The method of claim 1, wherein a random number and a hash value of the 
random number are also enaypted with said secret key and stored in the 
external memory, the encrypted random number and hash value are 
decrypted witii the secret key at least on each reset of the device, and 
decryption of the encrypted sensitive code and data are only allowed if the 

20 decrypted hash value equals a hash value calculated from the decrypted 

random number. 

3 . The method of claim 1 or claim 2, characterized in that application code 
down-loaded into the device is signed with a private key of an asymmetric 
25 key pair and proper execution of the application is subject to a verification 

of the signature with a public key of said key pair- 
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The mefliod of claim 3, wherein the signature is generated by obtaining a 
hash value from said application code and encrypting the hash value with 
the private key. 
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5. The method of claim 3 or claim 4, wherein the pubUc key of said key pair 
is stored in an internal read only memory of the device. 

6. The method of claim 3 or claim 4, wherem the public key of said key pair 
is stored in an internal secured memory area of the device. 

7. The method of claim 3 or claim 4, wherein a secure architecture 
designer's public key is stored in an internal read only memory of the 
device, a customer's public key is signed with the designer's private key 
and stored in the external memory, the customer's public key is retrieved 
by decrypting with the designer's public key read from the read only 
memory, the encrypted customer's public key read from the extemal 
memory, and the signature is verified. 

8. The method of claim 3 or claim 4, wherein the public key of said key pair 
is downloaded with the signed application code and a hash value of the 
public key is encrypted with a private key the corresponding public key of 
which is stored in intemal read only memory of the device, and the 
encrypted hash value is also downloaded to the device. 

9. The method of any of claims 1 to 8, wherein the application code is 
downloaded into the device, encrypted with the secret key and stored in 
the extemal memory. 

10. A method of protecting a device against unintended use in a secure 
environment, the device being adapted to execute applications that involve 
secure transactions and/or conditional access to valuable contents and/or 
services, and the device including an integrated circuit that has a cmtral 
processing unit, an intemal memory and input/output connections for 
extemal memory incorporated on a single chip; 



characterized in that 
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a) any appUcation code downloaded into the device is sigaed with 

key of an asymmetric key pair and proper execution of the application is 
subject to a verification of the signature with a public key of said key pair; 

b) said extemal memory and said chip are uniquely linked by encrypting 
sensitive application code and data with a secret key stored in a secured 
memory area of the internal memory and storing the encrypted code and 

data in the extemal memory; 

c) a random number and a hash value ofthe random number are also 

encrypted witii said secret key and stored in the extemal memory; 

d) on each reset ofthe device, the encrypted random number and hash value 

are decrypted with the secret key, and decryption ofthe encrypted 
sensitive code and data are only allowed if the decrypted hash value equals 
a hash value calculated firom the decrypted random number. 

1 1 . A method according to any ofthe preceding claims, characterized in that, 
after manufacturing ofthe chip and prior to delivery to a customer, a secret 
access channel is estabUshed to write a secret personalization key into the 
secure memory area. 

12. The method of claim 11, wherein the content ofthe secure memory area is 
protected by calculating a hash value ofthe secure memory area content 
and writing the hash value into the secure memory area. 

13. The method of claim 1 1 or 12, wherein a personalization application is 
signed with a Secure Architecture Designer's private key and then 
encrypted with the secret personalization key, the personalization 
application is loaded into the device and decrypted witii the secret 
personalization key, the signature ofthe personalization application is 
checked with the Secure Architecture Designer's public key, and the 
personalization application is executed to write sensitive personalization 
data into the secure memory area. 
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14. The method of claim 1 1 or 12, wherein a personalization application is 
encrypted with a secret symmetric key stored m a secured memory area of 
the device, a hash value of the personalization application is signed witii a 
Seciire Architecture Designer's private key, the encrypted personalization 
application and the signed hash value are loaded into the device, the 
personalization application is decrypted with the secret symmetric key, the 
signature of the hash value is checked with the Secure Architecture 
Designer's public key stored in the read only memory of the device, and 
the personalization application is executed to write sensitive 
personalization data into the secure memory area, 

15. The method of claim 1 1 or 12, wherein a personalization application and a 
hash value of the personalization application signed with a Secure 
Architecture Designer's private key are encrypted with a secret symmetric 
key stored in a secured memory area of the device, the encrypted 
personalization application and signed hash value are loaded into the 
device, the personalization application and signed hash value are 
decrypted with the secret symmetric key, the signature of the hash value is 
checked with the Secure Architecture Designer's public key stored in the 
read only memory of the device, and the personalization application is 
executed to write sensitive personalization data into the secure memory 
area. 

16. A method according to any of the preceding claims, characterized in that 
the external memory includes a RAM and the chip has a bi-directional 
encryption/decryption hardware interface ensuring high performance and 
yet encrypted exchange of data between the chip and the RAM. 

17. A device for executing applications that involve conditional access to at 
least one of valuable contents and services, including an integrated circuit 
that has a central processing unit, an internal memory and input/output 
cormections for extemal memory incorporated on a single chip, 
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characterized in that the internal memory includes a secured memory area 
accessible to the central processing unit only and containing a secret 
encryption key used for encryption of sensitive data stored in the external 
memory. 

18. The device according to claim 17, wherein said chip includes a random 
number generator. 

1 9. The device of claim 18, wherein a hash value is obtained from a random 
number generated by the random number generator, the random number 
with its hash value are encrypted with said secret key, and the encrypted 
random number with its hash value are and stored in the external memory. 

20. The device according to any of claims 17 to 19, wherein encryption is 
linuted to sensitive application code and data. 

21. The device according to any of claims 17 to 20, wherein said external 
memory is a flash memory. 

22. The device according to any of claims 17 to 21, wherein a secret device 
key associated with each particular device is stored in said secured 
memory area, sensitive data are encrypted with said secret device key, the 
encrypted sensitive data are stored in the external memory and the 
encrypted sensitive data in Ihe external memory are decrypted and verified 
at least at each reset of the device. 

23. The device according to any of claims 17 to 22, wherein said secured 
memory area includes a signature verification public key used for 
verification of a signature attached to application code to be executed by 
the device. 
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24. The device according to any of claims 17 to 22, wherein application code 
to be executed by the device is stored in said external memory with an 
attached signature and with a signature verification key encrypted with a 
private key, a corresponding public key being stored in the read only 
memory of the device. 

25. The device of claim 23 or claim 24, wherein an encrypted hash value of 
sensitive application code and data is added to application code stored in 
said external memory. 

26. The device according to any of claims 17 to 25, wherein said secured 
memory area includes personalization data pertaining to an intended use, 
an intended customer and an intended configuration of the device. 

27. The device according to claim 26, wherein said external memory includes 
an application code storage into which application code can be loaded 
subject to compliance with said personalization data. 

28. The device according to any of claims 17 to 27, wherein said secured 
memory area is loaded with at least one secret key and a hash value of the 
content of the secured memory area prior to delivery of the chip to a 
customer. 

29. The device according to any of claims 17 to 28, wherein the chip 
comprises intrusion detection means for, in response to a detected 
intrusion, erasing at least essential parts of said secured memory area. 

30. The device accordmg to any of claims 17 to 29, wherein the chip includes 
a watch-dog and the chip is reset or at least essential parts of said secured 
memory area are erased when no activity is detected by the watch-dog 
within a predetermined time. 
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3L The device according to any of claims 17 to 30, wherein the chip includes 
a clock monitor and any abnormal variation of the chip clock rate causes 
the chip to reset or at least essential parts of said secured memory area to 
be erased. 

32. The device accordiag to any of claims 17 to 31, wherein said chip has 
outer connection terminals that are variably assigned to internal 
connections, and a secret terminal assignment is used to supply secret keys 
and/or procedures to said memory. 

33. The device of any of claims 17 to 32, comprising a read only memory area 
that contains mandatory authenticity verification code allowing an 
application to be executed by the device only after successful verification 
of authentidty, the secret memory area also containing authenticity 
verification data, and wherein said authenticity verification code is 
contained in a boot procedure. 

34. The device of claim 33, wherein said internal memory includes a ROM 
and at least part of said authenticity verification data is obtained by 
applying a predetermined hash fimction to at least a predefined part of the 
ROM content 

35. The device of claim 34, wherein said authenticity verification code applies 
said predetermined hash fiinction to said predefined part of the ROM 
content and compares the hash value with a corresponding part of the 
authenticity verification data. 

36. The device according to any of claims 33 to 35, wherein said at least part 
of said authenticity verification data is obtained by applying a 
predetermined hash function to the content of the secured memory area. 
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37. The device of claim 36, wherein said authenticity verification code applies 
said predetermined hash ftinction to the content of the secured memory 
area and compares the hash value wifli the corresponding part of the 
authenticity verification data. 
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figure 3A 

C&D received by the ASIC 

SignDownHash(C)=C' 



1st option 



{appli signed by 
SADPrivateKeyl 



SigDDowDEnc'LSADPublicKcy(D>=D' 




No 




> ► 


Erase C 



Store Appli in RAM using 
encryption hardware interface 
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figure 3B 



C&D received by the ASIC 



I 



SignDownHash(C)=C' 



2nd option 



{appli signed by 
CustomerPrivateKcyl 



(option 2a) 



{CustomerPublicKey 
inlSMA) 



Load CustomerPublicKey 
fromlSMA 



SignDownEncLCustomerPublicKeyCD)=D' 




VaUdated Appli C 



Store Appli in RAM using 
encryption hardware interface 
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F igure 3C 



C&D received by the ASIC 



I 



SignDownHash(C)=C' 

•~T~ 



2nd option 



{appli signed by 
CustomerPrivateKey } 



(Option 2b) 
▼ 



(CustomerPublicKey 
in External Memory) 



CustomerPublicKey = 
SignDownEnc^l,SADPublicKey(E ncCustomerPubUcKey) 

I 






Validated Appli C 








r 




Store Appli in RAM using 
encryption hardware interface . 
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F igure 3D 

C&D&E&F received by the ASIC | 



2nd option 



(c) 



{appli signed by 
CuslomerPrivateKcy } 

{ CustomerPublicKey 
with downloaded data} 



SignDownHashCB)=E' 



SignDownEnc^L 
SADPubUcKey(F)=F' 




BraseC 



CustomerPublicKey=E 



SignDownEnc-LCustom erPuMicKey(P)~D' 



SignDownHash(C)=C* 




Erase C 



Validated Appli C 



Store Appli in RAM using 
cn<^ption hardware interface 
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Figure 4B 



EncDown Process 



EncDown-LSADSecretKey(A)=A' 
EncDown-*SADSecretK ey(B)=B * 

T 

EncDownHash(A')=B " 




Yes 



Validated downloaded 
appli A' 



Store A' in External Memory 
using External Memory Encryption process 
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figure 5A 

ASIC received data for example from RAM 
that are now in clear and should be stored in External Memory 



ASIC selects sensitive Soft&Data to be encrypted 










(option 4) ASIC compresses data 












(option 3) ASIC generates RN 
KF=RN 









Gets KF in ISMA 
1 » 1 








Encnash_KF(Sensitive Soft&Data) 
(Option 6) EncHasli_KF(EncHashHash(sensitive Soft&Data)) 
(Options) EncFlash^SADSecretKey(RN)=RNEnc 




(option 5) gets ChipRandomNumber in ISMA 
EncFIaslUCF(ChipRandomNumber-3ncFlashHash(ChipRandoniNmnber)) 



I 



Store in External Memory 
• EncRasli_KF(Sensitive Soft&Data) 
• (Option 6) EncFlash_KF(EncFlashHash(sensitive Soft&Data)) 
• Other non sensitive data 
• (Options) EncFlash_SADSecretKey(RN)=RNEnc 
• (option 5) EncFlashJJ(ChipRandomNuniber3ncHashHash(ChipRaiidomNumber)) 
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figure 5B 



ASIC receives encrypted data from External Memory 



(Options) 
ASIC gets SADSearetKey in ISMA 
EncFlash-LSADSecretKey(RNEttc)=RN=KF 



Gets KF in ISMA 



(option 5) 
EncHash-ija'(X;Y)=(X*;Y') 
EncFlashHash(X')=Y" 




Flash Content not validated 



EncFlash-iJCF(EncSoft&Data)=DecSoft&Data 



(Option 6) 
EncFlash-LKF(EncH)=H 
EncFiashHash(DecSoft&Data)=:H* 




DecSoft&Data not validated 



(option 4) ASIC decon^>resses data 



ASIC has Soft&Data available in clear 
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figure 6 



ASIC selects sensitive Soft&Data 



EncHash_ChipSecretKey(Sensitivc Soft&Data)=I 



ASIC generates RNG 



EncFlas/tHash(RNG))-K 



EncHash_CIupSecretKey(RNG;K) 
J 



ASIC stores I & J in External Memory 
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figure 7 



At least after eadi reset : 
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Content 
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figure 8 

PcrsoSecretKey stored in ISMA 

ISMAInfo updated to 
indicate that PcrsoSecretKey is available 

ISMAContenlHash calculated and 
stored in ISMA 



ISMA after First level personalization 

ASIC ISMA.: 



1 

i 
t 
1 


/ PcrsoSecretKey 


1 
1 


f ISMAInfo 


1 
i 

1 
1 
1 
1 

1 


f ISMAContentHash 


1 

1 

1 
1 
1 
t 
1 
1 
1 
1 
1 





wo 03/058409 



T/EP03/00075 




CO 

a: « 

li 

CO -a 



wo 03/058409 ^|||^ ^^^T/EP03/00075 

16/17 




/ 



WO 03/058409 



17/17 



:T/EP03/00075 




(12) INTERNATIONAL APPL] 



(19) World InteUectual Property 
Organization 
International Bureau 

(43) International Publication Date 
17 July 2003 (17.07.2003) 




Rec'd PCT/PTO^ OCT 2( 

DOpSRtION TREAT1 

l®/5009S^ 

llilllii 



PCX 



(10) International Publication Number 

wo 2003/058409 A3 



(51) International Patent Classification'': 
(21) International Application Number: 



G06F1/00 



PCT/EP2003/000075 
(22) International Filing Date: 7 Januaiy 2003 (07.01.2003) 

(25) Filing Language: English 

(26) Publication Language: English 



(30) Priority Data: 

102 00 288.6 



7 Januaiy 2002 (07.01.2002) DE 



(71) Applicant (for all designated States except US): 
SCM MICROSYSTEMS GMBH [DE/DE]; Os- 
kar-Messter-Strasse 13, 85737 Ismaning (DE). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): BRESSY, Philippe 

[FR/FR]; 8, rue du Lancon, F-83190 Ollioules (FR). 
LOISEL, Yann [FR/FR]; Lotissement Le Revestin, 
Chemin des Severiers, F-13600 La Ciotat (FR). 

(74) Agent: DEGWERT, Hartmut; Prinz & Partner, 
Manzingerweg 7, 81241 Miinchen (DE). 

(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH. CN, CO, CR, CU, 



CZ, DE, DK, DM, DZ, EC, EE, ES, H, GB, GD, GE, GH, 
GM. HR, HU, ID, XL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE. SG. 
SK, SL, TJ, TM, TN, TR, IT, TZ, UA, UG, US, UZ, VN, 
YU, ZA, ZM, ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), 
European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, 
ES, FX, FR, GB, GR, HU. IE, IT, LU, MC, NL, PT, SE, SI, 
SK, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, 
GQ, GW, ML, MR, NE, SN, TD, TG). 

Published: 

— with international search report 

— before the expiration of the time limit for amending the 
claims and to be republished in the event of receipt of 
amendments 

(88) Date of publication of the international search report: 

17 June 2004 

For two-letter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes andAbbre\nations" appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



(54) Title: PROTECTING A DEVICE AGAINST UNINTENDED USE IN A SECURE ENVIRONMENT 



On 
00 

in 

o 



ASIC 



ROM 



.14 



Memory Area 
CSMA 



24 

26 



20 



22 



12 



X — 



^16 



18 



RAM 



.10 



— 28 



sc --30 



(57) Abstract: A method and device are disclosed for executing applications that involve secure transactions and/or conditional 
access to valuable contents and/or services. The device includes an integrated circuit that has a central processing unit, an internal 
memory, input/output connections for external memory and connection ports for an external interface circuit incorporated on a single 
chip. The internal memory includes a secured memory area accessible to the central processing unit only. The secret memory area 
contains a secret encryption key used for encryption of sensitive data stored in the external memory. Preferably, the chip includes a 
random number generator. A hash value is obtained from a random number generated by the random number generator, the random 
number with its hash value are encrypted with the secret key, and the encrypted random number with its hash value are stored in the 
external memory. As a result, the device has a chip that is uniquely paired with the external memory. 



INTERNATIOj 



m 



SEARCH REPORT 



Inten 

PCI 



m 



pplicatlon No 

3/00075 



A. CLASSIRCATION OF jSUBJECT MATTER 
IPC 7 GO6FI/OO 



Aocording to International Patent Classification (IPC) or to both national classification and IPC 



B. RELDS SEARCHED 



Mlnlnuim documentation searched (classification system foDowed by classification symbols) 

IPC 7 G06F G07F G06K 



Documenlalion searched other than minimum documentation to the extent that such documents eue Included In the fields searched 



Electronic data base consuited during the International search (name of data base and, where practical, search terms used) 

PAJ, WPI Data, EPO-Internal 



C. DCX:UMENTS CONSIDERED TO BE RELEVANT 



Category *• Cuatum d document, with Indication, where appropriate, of the relevant passages 



Relevant to claim No. 



wo 00/19299 A (HUGHES ELECTRONICS CORP) 
6 April 2000 (2000-04-06) 



page 1, line 18 -page 2, 11 
page 5, line 15 -page 6, 11 



ne 1 
ne 3 



1,9.17, 
18, 

20-22, 
26-37 

3-8, 
23-25 



page 

page 
page 
page 
page 
page 
page 
page 



8, line 1 - line 14 
12, line 10 -page 13, line 6 
7 - line 10 
11 - line 12 
6 - line 7 
9 - line 10 
6 - line 20 
14 - line 15 



21. 
33, 
40. 
47. 
70, 
74, 



figures 



line 
line 
line 
line 
line 
line 
1-3 



-/- 



HI 



Further documents are listed In the continuation of box G. 



Patent family members are listed In annex. 



o Special categories of dted documents : 

"A* document defining the general state of the art which Is not 

considered to be of particular relevance 
"E' earlier document but published on or after the international 

filing date 

'L' document which may throw doubts on priority clalm(s) or 
which is cited to establish the publication date of another 
dtatlon or other special reason (as specifiecl) 

'C document referring to an oraS disclosure, use. exhibition or 
other means 

'P' document published prior to the International filing date but 
later than the prtortty date dalmed 



■T* later document published after the international filing date 
or priority date and not In conflict with the application but 
dted to understand the principle or theory underlying the 
Invention 

*X* document of particular relevance; the claimed Invention 
cannot t>e considered novel or ceinnot be considered to 
involve em inventive step when the document is taken alone 

■Y" document of particular relevance; the claimed invention 

cannot be considered to involve an Inventive step when the 
document is combined with one or more other such docu- 
ments, such combination being obvious to a person sMited 
in the art 

document memt>er of the same patent family 



Date of the actual completion of the International search 



29 April 2004 



Date of mafiing of the Intematlonal search report 



07/05/2004 



Name and malDng address of the ISA 

European Patent Office, P.B. 5818 Patentlaan 2 
NL>2280HVRijswijk 
TeL (+31-70) 340-2040, Tk. 31 651 epo nl. 
Fax (+31-70)340-3016 



Authorized officer 



Arbutina, L 



Form PCT/1SA/21Q (second sheet) (January 2004) 



INTERNATION 



m 



EARCH REPORT 



Inten 

PCT 



plication No 

3/00075 



C.(Continuatlon) DOCUMENTS CONSIDERED TO BE RELEVANT 



Category « Citation of document, witli Indication, where appropriate, of ttie relevant passages 



Relevant to claim No. 



EP 1 168 172 A (FUJITSU LTD) 
2 January 2002 (2002-01-02) 
column 1, paragraphs 2-5 
column 10, paragraph 42 
column 12, paragraph 56 -column 16, 
paragraph 82 
figure 1 

US 6 061 449 A (SPRUNK ERIC ET AL) 
9 May 2000 (2000-05-09) 

column 1, line 18,25-28 
column 5, line 44 - line 50 
column 8, line 46 - line 50 
column 9, line 48 - line 51 
column 12, line 13 - line 27 
column 17, line 60 -column 25, line 19 
column 26, last line -column 27, line 5 
column 28, line 48 - line 51 
figure 1 



1,3-9, 
17,20-28 



1,3-9, 
17,18, 
20-32 



US 2001/018745 Al (LACZKO FRANK L 
30 August 2001 (2001-08-30) 
page 2, paragraphs 21,26 
page 4, paragraph 37 
page 5, paragraph 44 
page 6, paragraph 49 
figure 1 



ET AL) 



3-8, 
23-25 



Foim PCT/ISA/210 (continuation of second sheet) (Januaiy 2004) 



INTERNATIONAL SEARCH REPORT 

on patent family members 



Inter 

PCT 



m 



ppllcatlon No 

3/00075 



Patent document 
dted in search report 


Publication 
date 


Patant family 
member(8) 


Publication 
oai© 


UO 0019299 


A 


06-04-2000 


WO 


0019299 Al 


06-04-2000 








AU 


743775 B2 


07-02-2002 








AU 


1062399 A 


17-04-2000 








CA 


2309627 Al 


06-04-2000 








EP 


1032869 Al 


06-09-2000 








JP 


2002526822 T 


20-08-2002 



EP 1168172 


A 


02- 


•01- 


-2002 


JP 


2002014871 A 


18-01-2002 










EP 


1168172 A2 


02-01-2002 












US 


2002002676 Al 


03-01-2002 


US 6061449 


A 


09- 


-05- 


-2000 


CA 


2249554 Al 


10-04-1999 










CN 


1236132 A 


24-11-1999 












EP 


0908810 A2 


14-04-1999 












IL 


126448 A 


14-08-2002 












TW 


445402 B 


11-07-2001 


US 2001018745 


Al 


30- 


-08- 


-2001 


US 


6266754 81 


24-07-2001 










EP 


0961193 A2 


01-12-1999 












JP 


2000138917 A 


16-05-2000 



Fomt PCT/lSA/210 (patent family max) (January 2004] 



